Safety Guard Plugin for Oh My Zsh

🚧 Purpose

A protective Zsh plugin that intercepts Kubernetes CLI commands (kubectl) and prevents accidental changes to production environments. It detects the active context and prompts for confirmation unless explicitly overridden with a safe flag.

---

✨ Features

• Detects "prod" environments based on kubectl config current-context
• Warns users before executing potentially destructive commands
• Allows bypassing prompts via a custom --safe-force flag
• Whitelist of safe subcommands that never trigger warnings
• Configurable via config.zsh

---

🧩 Supported Tools (So Far)

• ✅ kubectl
• (Planned) helm, argocd, aws

---

📁 Installation

1. Clone into your custom plugin directory:

git clone https://github.com/mtahle/kubectl-safety-guard.git ~/.oh-my-zsh/custom/plugins/safety-guard

2. Enable the plugin in your .zshrc:

plugins=(... safety-guard)

3. Restart Zsh:

exec zsh

Note: if you don't use ozsh but only ZSH, use the commands below

git clone https://github.com/mtahle/kubectl-safety-guard.git ~/.safety-guard

source ~/.safety-guard/config.zsh
source ~/.safety-guard/functions/wrap_kubectl.zsh

exec zsh

---

⚙️ Configuration

Edit the file: ~/.oh-my-zsh/custom/plugins/safety-guard/config.zsh

# Keywords that flag a context as production\export SAFETY_PROD_KEYWORDS=("prod" "production" "live")

# Subcommands allowed without prompt
export SAFETY_KUBECTL_SAFE_COMMANDS=(
  "get" "describe" "config" "version" "cluster-info" \
  "api-resources" "api-versions" "logs"
)

# Flag to bypass confirmation
export SAFETY_FORCE_FLAG="--safe-force"

---

💡 Usage

Run any kubectl command:

kubectl apply -f my.yaml

If you're in a prod cluster, you'll see:

⚠️  You are about to run a command on a PRODUCTION cluster: [prod-cluster]
Are you sure? Type 'yes' to continue:

Bypass with:

kubectl apply -f my.yaml --safe-force

---

🧪 Roadmap

• Helm support
• ArgoCD support
• AWS CLI detection
• Logging & audit trail

---

🛡️ License

MIT